Event-based communication is a major source of power and flexibility for today's applications. For example, in the context of a web browser, the dynamism of user experience is driven by events: fine-grained interaction of the user with a web application triggers events reactively handled by JavaScript code. This paper explores channels for leaking sensitive information through constructs in a reactive language. We propose a general and realizable security framework for preventing information leaks in a reactive setting with such features as new handler creation and hierarchical event structures. While prior work largely takes an all-or-nothing approach to information flows due to intermediate output, our framework tightly regulates the bandwidth of such flows: at most log(n + 1) bits are allowed to be released, where n is the number of public inputs to the program. We gain flexibility from distinguishing between the security levels of message existence and content. A combination of flow-sensitive analysis and buffering output enables us to enforce security without being overly restrictive.